The Data Protection Act 1998 applies to anyone holding information about living individuals. The Act applies whether the information is held in hard copy, stored electronically, or online. Under the Act, the Information Commissioner must maintain a Register of Data Controllers. The Information Commissioner is an independent official appointed by the Crown.
Small businesses may hold information on customers, employees, clients, suppliers or other members of the public. If you do hold this kind of information, the Act applies to you. Make sure:
- You understand your obligations
- You find out if registration is required with the Information Commissioner.
Understand Your Obligations
Even if you do not need to register with the Information Commissioner, you are still bound to comply with the Act if you hold personal details. It makes good business sense to comply, as all eight principles (see below) can have a direct benefit for your business. For example, sending out an out-of-date mailshot not only annoys the customer but also wastes time and money. Keeping data up to date is a direct benefit.
Other direct benefits include the extra credibility and goodwill created by having accurate information. Deleting out-of-date information frees up storage space. Keeping information secure protects you and your business from damage or possible legal consequences if data falls into the wrong hands.
Be aware of these two main obligations:
The principles of good information handling, and individuals' rights.
The Principles of Good Information Handling
The Act specifies eight principles of good information handling. These must be followed. If your business uses personal information, it must:
- Be fairly, and lawfully, processed.
- Be processed for specific purposes.
- Be adequate, relevant and not excessive.
- Not be kept for longer than is necessary.
- Be processed in line with the rights of the individual.
- Be kept secure.
- Not be transferred to countries outside the European Economic Area unless there is adequate protection for the information.
All members of staff need to be aware of these requirements. Existing procedures may need to be altered, and new ones created if need be. Ensure the principles are adhered to, as the Information Commissioner can take enforcement action to ensure compliance.
The Data Protection Act is not to be hidden behind or used as an excuse. The Information Commissioner has issued a useful guide dispelling a lot of the common myths.
Individuals' Rights
Under the Act, all individuals are given certain rights to see information being held about them, and they may correct it if it is wrong. Individuals can request to see any information. A response to a request must be made within 40 days. A fee of up to £10 may be charged for handling the request. For more information, or for help if you aren't sure, email mail@ico.gsi.gov.uk or phone the helpline on 01625545745.
Does Your Business Need To Register ('Notify')?
The Data Protection Act 1998 requires every controller processing personal data to notify unless they are exempt. You may be exempt if information is kept for core business purposes, i.e. for your own staff, marketing and accounting. This may be the case for most small businesses.
Failure to notify is a criminal offence. See the Information Commissioner's notification page for more information, or call the notification helpline on 01625545740.
Notification lasts for one year. Keep a note of the date registered and renew annually. The fee is currently £35.
This process is straightforward, so the services of an intermediary or agency are not needed. There is a warning on the Information Commissioner's website stating that it is the only statutory authority for administering and maintaining the register. Also, all of its correspondence bears the address: Wycliffe House, Water Lane, Wilmslow, Cheshire.
More Information
Full details on the Data Protection Act and the Information Commissioner's role are found at www.informationcommissioner.gov.uk
Good Practice Notes are published by the Information Commissioner to tackle common misunderstandings. Frequently Asked Questions about data protection are also answered.
If you employ staff, use the Quick Guide to the Employment Practices Code. It is designed to help small businesses comply with the Act during staff recruitment and employment.